The Hypertext Transfer Protocol (HTTP) is the most widely used mechanism for application-layer communication between clients and servers. Like other communication protocols, HTTP-based communication is vulnerable to flood attacks, or distributed denial of service (DDoS) attacks. For example, when an attacker sends a sufficiently large number of GET requests to an HTTP server for the resources it serves, the server eventually reaches its maximum capacity for processing GET requests and becomes unable to respond to legitimate users.
Presently, several measures are known for detecting HTTP flood attacks. For example, based on statistics for a specific source IP, or for the cookies associated with a specific source IP, the source IP is determined to be attacking if a frequency statistic exceeds a predetermined threshold. Specific characteristics of a request (e.g., whether a proxy header is present) can also be used to detect attacks. Further, statistics on the distribution of specific fields in the packets from a specific source IP can be used to detect attacks. Lastly, attacks can be detected with challenge-response tests: the HTTP host returns a modified page containing a verification code, a JavaScript challenge, HTTP Set-Cookie headers, or the like, to which legitimate clients or human users respond but attack programs or bots do not.
However, the measures described above typically share the defect of relying on fixed defense strategies, even though the network environment is constantly changing; fixed strategies therefore lead over time to increased false positive rates (e.g., misidentifying and blocking normal traffic) and/or false negative rates (e.g., letting attack traffic through). Thus, there is a need to increase defense efficiency while decreasing the likelihood of false positives and false negatives.
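As an added example that is not part of the original text, the following Python implements two of the measures described above, a per-source-IP request frequency threshold and a per-source distribution statistic (Shannon entropy of requested paths), over constructed access-log lines; the log format, the addresses, the window size and the thresholds are all assumptions. It also illustrates the fixed-threshold weakness from the last paragraph: a busy NAT gateway trips the rate check on its own but not the combined check.

```python
from collections import Counter, defaultdict
import math

# Constructed log lines (assumed format "<epoch_seconds> <src_ip> <method> <path>").
# 10.0.0.9 hammers one path; 192.0.2.7 is a busy NAT gateway whose users fetch
# many different paths at a similar rate; 198.51.100.4 is a quiet client.
SAMPLE_LOG = [f"{1000 + i // 3} 10.0.0.9 GET /login" for i in range(30)]
SAMPLE_LOG += [f"{1000 + i // 3} 192.0.2.7 GET /page{i}.html" for i in range(27)]
SAMPLE_LOG += [f"{1000 + 2 * i} 198.51.100.4 GET /index.html" for i in range(5)]

def parse_log(lines):
    """Return (timestamp, src_ip, method, path) tuples from the constructed log lines."""
    return [(int(ts), src, m, path) for ts, src, m, path in (line.split() for line in lines)]

def peak_rate(records, window=10):
    """Per-source frequency statistic: most GET requests seen in any window-second span."""
    stamps = defaultdict(list)
    for ts, src, method, _ in records:
        if method == "GET":
            stamps[src].append(ts)
    peaks = {}
    for src, ts_list in stamps.items():
        ts_list.sort()
        lo = best = 0
        for hi, t in enumerate(ts_list):
            while t - ts_list[lo] >= window:  # slide the window's left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks

def path_entropy(records):
    """Per-source distribution statistic: Shannon entropy (bits) of requested paths."""
    paths = defaultdict(Counter)
    for _, src, _, path in records:
        paths[src][path] += 1
    ent = {}
    for src, ctr in paths.items():
        n = sum(ctr.values())
        ent[src] = -sum(c / n * math.log2(c / n) for c in ctr.values())
    return ent

def flag_sources(records, rate_threshold=20, window=10, min_entropy=1.0):
    """Sources over the fixed rate threshold, alone and combined with the entropy check."""
    rates, ents = peak_rate(records, window), path_entropy(records)
    rate_only = {s for s, r in rates.items() if r > rate_threshold}
    combined = {s for s in rate_only if ents[s] < min_entropy}
    return rate_only, combined
```

Calling `flag_sources(parse_log(SAMPLE_LOG))` flags both 10.0.0.9 and 192.0.2.7 on the rate threshold alone, but only 10.0.0.9 once the path-distribution check is combined with it.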